eBay problems won't go away

Discussion in 'Malware Help (A Specialist Will Reply)' started by Triple Geek, Jan 25, 2005.

  1. Triple Geek

    Triple Geek Private E-2

    Hi, this is my first post here. First let me say that I did read the read me first thread and followed everything exactly. I'm thankful that it did solve a few problems I thought I'd never fix, like getting back my address bar. However, my original problem still remains.

    When I go to eBay and click Sign In I'm getting redirected to a page that is obviously fake, asking me for things like my SS# and PIN number. HJT takes care of it temporarily but it keeps coming back. I've tried deleting my HJT backup files but that still doesn't help. It started out as one certain page but then it changes to something that looks more legitimate and believable (e.g. they say the site had trouble during maintenance.) Here is the page I'm currently being taken to: http://signin.ebay.com/ws2/eBayISAPI.dll?SignIn&ssPageName=h:h:sin:US Also when I click on My eBay during this problem I get the Internet Explorer "This page cannot be displayed" message.

    Also around the time I started having this problem Internet Explorer started crashing constantly so I have to use SlimBrowser.

    Also I went back to the read me first thread and removed MSJVM but that hasn't helped.

    If anyone is able to help me kill this increasingly annoying problem that would be greatly appreciated. Thanks.
     
  2. PhilliePhan

    PhilliePhan Guest

    Hi TG,

    If you are certain that you've exhausted the Tutorial's options (including the Online Scans), then go ahead and send us a HijackThis Log. Make sure to follow the instructions below:

    Note that your HijackThis should be up-to-date (v1.99) and MUST be extracted to its own safe folder – C:\Program Files\HijackThis!
    If you need a Fresh Download of HJT, get it HERE: HijackThis v1.99

    Also note that, before you scan, you MUST close all running programs including your web browser, e-mail and items in the system tray.

    Please save your HJT Log as a .txt File and attach it via the "Manage Attachments" tool in the Additional Options section when you post.

    I’ve been tied up with work these days, but somebody will try to take a look at your log when they get a chance.

    Best :)
    PP
     
  3. Triple Geek

    Triple Geek Private E-2

    Okay, I just did a new HJT scan and saved the log. Here it is. Thanks.
     


  4. PhilliePhan

    PhilliePhan Guest

    Hi TG,

    Gave your log a quick look before hitting the sack. You should uninstall via Add/Remove Programs the following, if found:

    Viewpoint
    180 Search
    TopConverting
    MenuExtension


    + note any other suspicious entries.

    Fix the following in HijackThis:
    O1 - Hosts: 209.151.89.50 signin.ebay.com

    O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe

    O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB

    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe

    Then, boot to Safe Mode and DELETE the following FOLDERS:

    C:\Program Files\Windows ServeAd
    C:\PROGRAM FILES\IEMENU..... --> There will likely be more to the title
    C:\Program Files\Viewpoint

    NOW:
    Run CCleaner and SpybotSD. Then attach a fresh log and let me know how things are working. I'll try to check back Tuesday evening.

    PP :)
     
  5. Triple Geek

    Triple Geek Private E-2

    Okay, I couldn't find Viewpoint in the Add/Remove list but I found Viewpoint Manager and deleted it. 180 Search, TopConverting, and MenuExtension weren't there.

    After that I ran HiJack This and after looking carefully for it I couldn't find O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe. I did fix the other three, though.

    I booted to safe mode and got rid of the ServeAd and IEMENU folders but the Viewpoint folder wouldn't delete.

    Since I have a profile, I wanted to ask if it makes any difference that I'm just using that when I boot in safe mode or is it better if I log in as Administrator?

    I haven't seen any hoax pages on eBay yet but I'll post back to this thread if I do.
     
  6. Triple Geek

    Triple Geek Private E-2

    P.S. - I just looked at my notes and noticed I had written this down . . .

    C:\Program Files\WindowsSB\WinSB.DLL: infected

    Obviously whichever scan picked that up couldn't fix it because it's still there. What should I do with it?
     
  7. PhilliePhan

    PhilliePhan Guest

    I didn't see this in your log, but it is malware. You should delete the entire folder --> C:\Program Files\WindowsSB (Windows SearchBar) One of the Cleanup Tools probably got most of it.

    It is best to be logged on as administrator - How many active user accounts are on your machine?

    You likely won't have problems with ebay unless this redirect returns --> O1 - Hosts: 209.151.89.50 signin.ebay.com

    Suggest you navigate to Hosts file and tell me what it says. Go to C:\Windows\System32\Drivers\Etc\Hosts and open with NotePad.

    PP :)
     
  8. Triple Geek

    Triple Geek Private E-2

    I deleted the SearchBar folder.

    Including Administrator there are three accounts on my computer. The other account isn't used very often and rarely is on the web so I doubt that any malware or viruses would've gotten through when it was on.

    The Hosts file said: 127.0.0.1 localhost.

    SlimBrowser is starting to crash more, just like Internet Explorer did.

    I downloaded Firefox a few days ago due to my Explorer problems and as soon as I tried to log on to eBay (which I frequently use) I got the redirect so I wonder if this could've been something that I had but needed the Firefox installation to trigger it. I've removed it since.

    If you can tell why I couldn't delete the Viewpoint folder I'm curious about that as well.
     
  9. Triple Geek

    Triple Geek Private E-2

    PS again - I looked through my notes and found this, I'm not sure if it's still there or not:

    C:\hp\bin\Terminator.exe

    Windows Explorer doesn't display an hp folder when I look at my C drive but the "a squared" scan found this and I don't remember if it fixed it or not.
     
  10. PhilliePhan

    PhilliePhan Guest

    Hosts file is OK as long as there are no other entries below 127.0.0.1 localhost

    Viewpoint is mild spyware that comes bundled with AOL, and others. It isn't particularly evil. Did you try removing in Safe Mode as administrator?

    About the ebay, with the hosts redirect, it was not related to FireFox.

    I do not know what Terminator.exe is. Perhaps use Windows Explorer to find it - RightClick it to get Properties and Version information.

    You should probably submit fresh HJT logs for both accounts in Normal Boot to be safe - up to you.

    Definitely see Chaslang's Suggestions

    PP :)
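
The hosts-file check discussed in the posts above, as an added example that is not part of any poster's message: it parses hosts-file text and reports every mapping other than the stock `localhost` entry, separating remote redirects (like the `signin.ebay.com` line HijackThis reported) from local sinkhole entries. The function name, the verdict strings and the sample file are assumptions made for illustration; only the `signin.ebay.com` line comes from the thread.

```python
import ipaddress


def audit_hosts(text):
    """Return (line_no, address, hostname, verdict) for every mapping other
    than the stock 'localhost' entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].split()  # drop comments, split on spaces/tabs
        if len(entry) < 2:
            continue  # blank line, comment-only line, or address with no name
        address, names = entry[0], entry[1:]
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            verdict = "unparseable address"
        else:
            if ip.is_loopback or ip.is_unspecified:
                verdict = "local sinkhole"
            else:
                verdict = "redirect to remote host"
        for name in names:  # one line may map several names to the same address
            if verdict == "local sinkhole" and name.lower() == "localhost":
                continue
            findings.append((line_no, address, name.lower(), verdict))
    return findings


# Constructed sample, apart from the signin.ebay.com line quoted in the thread.
SAMPLE_HOSTS = """\
# sample hosts file
127.0.0.1       localhost
209.151.89.50 signin.ebay.com
127.0.0.1\tads.example.test tracker.example.test   # blocklist-style entries
::1 localhost
"""

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```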
     
  11. Triple Geek

    Triple Geek Private E-2

    I tried deleting Viewpoint's folder under Admin in safe mode and it still won't budge, but if you say it's mild I won't worry about it.

    I couldn't find Terminator.exe with Windows Explorer, so I'm guessing it's gone.

    Attached are fresh HJT logs for each profile.
     
  12. Triple Geek

    Triple Geek Private E-2

    Sorry for the double post, didn't upload those right.
     


  13. PhilliePhan

    PhilliePhan Guest

    Don't know why Viewpoint won't go easily - Probably not a big deal.

    Log 1 - Remove O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm

    C:\Program Files\Web_Rebates--> Delete Folder

    Both logs FIX:
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe

    C:\Program Files\Windows ServeAd --> Delete Folder

    Other than those, looks OK

    PP :)
     
  14. Triple Geek

    Triple Geek Private E-2

    Did that except I couldn't find the Web Rebates folder or the ServeAd folder, even after I logged into safe mode under Admin.

    Save for that everything looks okay so if this is my last post in this thread thank you very much for your time. :)
     
  15. Triple Geek

    Triple Geek Private E-2

    Okay now a text file named hs_err_pid548 has appeared on my desktop starting out with:

    #
    # An unexpected error has been detected by HotSpot Virtual Machine:
    #
    # EXCEPTION_ACCESS_VIOLATION

    Should I post the rest of it?
     
  16. PhilliePhan

    PhilliePhan Guest

    I am not too familiar with this Java plugin. Are you getting this error a lot and what problems are occurring?

    PP :)
     
  17. Triple Geek

    Triple Geek Private E-2

    That's the only time I got it and I never got a dialog box for it. It just appeared in a text file on my desktop. That and I don't even remember ever installing any plugins for Java. I removed the old Microsoft one and replaced it with Sun Java like the chaslang thread said, that's all I know that could have anything to do with it.

    Also today I got a DOS window with a dialog box in front of it with the header "16 bit MS-DOS Subsystem" that said . . .

    C:\Windows\system32\config\cleaner.exe
    C:\Windows\system32\AUTOEXEC.NT. The system file is not suitable for running MS-DOS and Windows applications. Click "Close" to terminate the application.

    I clicked Close and haven't seen anything else from it . . . what does it mean?
     
  18. PhilliePhan

    PhilliePhan Guest

    I am not sure. Could be a number of things - Corrupt or missing files...?

    Let's fix these entries with HijackThis for both logs:
    O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\smss.exe
    O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\system32\config\svchost.exe
    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe
    Make sure all browser windows are closed when you click FIX

    Boot to Safe Mode with Viewing of Hidden Files Enabled and DELETE:

    C:\WINDOWS\system32\config\winlogon.exe
    C:\WINDOWS\system32\config\smss.exe
    C:\WINDOWS\system32\config\svchost.exe
    C:\Program Files\Windows ServeAd --> Folder, if you see it.

    Make sure only to delete the entries in config folder as noted!!

    Run CCleaner and Spybot, then attach fresh HJT logs and we'll see if that does the trick!!

    PP :)
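
The three `system32\config` entries in the post above carry the names of genuine Windows processes but start from the wrong folder. As an added example that is not part of any poster's message, the check below scans HijackThis `O4` Run lines and flags that mismatch. The function name, the list of process names and the `C:\WINDOWS` system root are assumptions; the last sample line is constructed, the others are quoted from this thread.

```python
import ntpath
import re

# Processes whose genuine image lives directly in <SystemRoot>/system32.
SYSTEM32_IMAGES = {"winlogon.exe", "smss.exe", "svchost.exe",
                   "csrss.exe", "lsass.exe", "services.exe"}

# O4 - <hive>\..\<key>: [<value name>] <command line>
O4_LINE = re.compile(r'^O4 - (HK\w+)\\\.\.\\(\w+): \[([^\]]*)\] (.+)$')
# Leading executable of the command line, quoted or not, spaces allowed.
IMAGE = re.compile(r'^"?([^"]+?\.exe)\b', re.IGNORECASE)


def find_masquerades(log_text, system_root=r"C:\WINDOWS"):
    """Return (value_name, image_path) for autoruns that borrow a system
    process name but start from somewhere other than system32."""
    expected_dir = ntpath.normcase(ntpath.join(system_root, "system32"))
    hits = []
    for line in log_text.splitlines():
        entry = O4_LINE.match(line.strip())
        if not entry:
            continue
        image = IMAGE.match(entry.group(4))
        if not image:
            continue
        path = image.group(1)
        folder = ntpath.dirname(path)
        if not folder:
            continue  # bare name such as rundll32.exe, resolved via the search path
        if (ntpath.basename(path).lower() in SYSTEM32_IMAGES
                and ntpath.normcase(folder) != expected_dir):
            hits.append((entry.group(3), path))
    return hits


SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr_.exe
O4 - HKLM\..\Run: [IE Menu Extension toolbar] rundll32.exe "C:\PROGRA~1\IEMENU~1\tbextn.dll" DllShowTB
O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\smss.exe
O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\system32\config\svchost.exe
O4 - HKCU\..\Run: [Constructed] "C:\WINDOWS\system32\svchost.exe" -k example
"""

if __name__ == "__main__":
    for name, path in find_masquerades(SAMPLE_LOG):
        print(f"{name}: {path}")
```

The check compares names and folders only; it does not handle environment variables or 8.3 short paths, and it says nothing about other autoruns in the log.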
     
  19. Triple Geek

    Triple Geek Private E-2

    O4 - HKLM\..\Run: [Windows ServeAd] C:\Program Files\Windows ServeAd\WinServAd.exe wouldn't show in the HJT results for either profile.

    Couldn't see the Windows ServeAd folder.

    Other than that I was able to follow everything and I've attached new HJT logs.

    I should probably tell you a few other things that have been happening:

    I got a dialog box before logging off recently that said "IEXPLORE.EXE - DLL Initialization failed."

    A couple of times over the last two days I've gotten a message from "Dr. Watson Postmortem Debugger" (I've never heard of it before) saying that it needed to close. Both times it happened when SlimBrowser crashed.

    This is nothing new but for the past few months every time I shut down Windows I get a box asking me to wait for "hpcmpmgr.exe" to close and every time it stops and says it can't close it.

    My Windows screen is a bit smaller. I'm seeing black borders in the space it used to fill and I think it's been this way since I first booted to safe mode, which was Sunday.
     
  20. Triple Geek

    Triple Geek Private E-2

    I can't upload the logs. It keeps saying there was an error.
     
  21. PhilliePhan

    PhilliePhan Guest

    What error message?

    Try renaming them and see if that works.

    I am heading out for a while, may check back in wee hours - Otherwise, Thursday evening.

    PP :)
     
  22. Triple Geek

    Triple Geek Private E-2

    I keep getting this in the window that usually says they're done uploading:

    Upload Errors
    anotherhijackthislog.log:
    Attachment in Progress. Can be deleted here.
    hijackthislog.log:
    Attachment in Progress. Can be deleted here.


    Tried using different browsers but that didn't work.
     
  23. PhilliePhan

    PhilliePhan Guest

    Go ahead and copy and paste them into your post and I'll deal with them Thursday Evening when I get some free time :cool:

    Here's a link for hpcmpmgr.exe

    PP :)
     
  24. Triple Geek

    Triple Geek Private E-2

    How do I disable hpcmpmgr.exe?
     


    Last edited by a moderator: Jan 27, 2005
  25. PhilliePhan

    PhilliePhan Guest

    You may do this via msconfig. I would suggest that you first check out this thread and see if that method of dealing with the problem appeals to you.

    hpcmpmgr Disable

    You should be able to find more info at HP as well.

    Also, these lines need to be fixed in both HijackThis logs:
    O4 - HKLM\..\Run: [Scheduler] C:\WINDOWS\system32\config\svchost.exe
    O4 - HKLM\..\Run: [Service Control Process] C:\WINDOWS\system32\config\winlogon.exe
    O4 - HKLM\..\Run: [Services Process] C:\WINDOWS\system32\config\smss.exe

    Doublecheck and make sure that the files do not remain in the config folder. Also, tell me what else is in that folder.

    How are things running now? What problems remain?

    PP :)
     
  26. Triple Geek

    Triple Geek Private E-2

    Those files are now out of the config folder. What's left is the subfolder named "systemprofile" and these files:

    AppEvent.Evt
    cleaner.exe
    default
    default.LOG
    default.sav
    SAM
    SAM.LOG
    SecEvent.Evt
    SECURITY
    SECURITY.LOG
    software
    software.log
    software.sav
    SysEvent.Evt
    system
    system.LOG
    system.sav
    TempKey.LOG
    userdiff
    userdiff.LOG

    I don't seem to be having the hpcmpmgr.exe problem anymore; I tried to run the program that was linked to the thread you showed (I did a virus check first as the guy recommended) but nothing showed up on the screen and instead I just saw something blink on my taskbar really fast a few times. So I went through the msconfig process and couldn't find hpcmpmgr.exe but I did find an empty space in the list with a checked box . . . I left that alone. When I restarted my computer the Compaq Organize startup item, which I disabled months ago, appeared. Also a window that looked like it would've appeared the first time I ran the computer told me that I had CD and DVD backup capabilities. It asked if I never wanted to see it again and I clicked 'Yes.'

    The Windows screen is still small and I still don't know what Dr. Watson's Postmortem Debugger is or how I got it, although I haven't seen the shutdown message from it yet.
     
  27. PhilliePhan

    PhilliePhan Guest

    Try DoubleClicking on the Windows screen border and see if that resolves the size issue.
    Dr. Watson Postmortem is due to your browser crashing, as you mentioned. Google it and you'll get a far better explanation than I could provide!

    You are probably good to go. How's the eBay working? I'll check back Friday when I find free time.

    Definitely take a look at Chaslang's recommendations HERE: How to protect yourself from malware!

    PP :)
     
  28. Triple Geek

    Triple Geek Private E-2

    I'm not sure what you mean by the Windows screen border. I try dragging over as far to the edge as I can go and double clicking but that doesn't do anything.

    eBay and everything else is working fine. Thank you so much again for your time.
     
  29. PhilliePhan

    PhilliePhan Guest

    Try doubleclicking on the blue border and see if that works?

    PP :)
     
  30. Triple Geek

    Triple Geek Private E-2

    I don't have a blue border . . . where would I see it? Are you talking about the taskbar?
     
  31. PhilliePhan

    PhilliePhan Guest

    I'm probably confused - I thought you were referring to IE and the Window not filling the whole screen. To which window are you referring?

    PP
     
  32. Triple Geek

    Triple Geek Private E-2

    I'm referring to anything I see when I'm in Windows . . . programs, my desktop, games, full screen videos, anything. Like there's the normal black border that's always been around the screen but then anything I have on the screen while I'm in Windows normal mode has a border with a lighter shade of black around it, and it's particularly wide on the right hand side.

    When I'm in safe mode the screen gets squeezed over to the left and all the desktop icons are bigger. I don't know if that's just to be expected but Windows normal mode has been like this ever since my first time in safe mode.
     
  33. PhilliePhan

    PhilliePhan Guest

    This sounds like a settings issue that needs to be remedied. I still think you should try DoubleClicking on the border to see if that maximizes the window.
    Also, try looking in Control Panel > Appearances and Themes > Display Properties and see if it can be adjusted.

    PP :)
     
  34. Triple Geek

    Triple Geek Private E-2

    There is no border. I'm not talking about what I see when I'm in Windows Explorer; I know what you're talking about - when I'm in any Windows program I just need to doubleclick the top line to maximize or minimize it - but that's not what I mean. I mean, I'll just be looking at the desktop with no programs running and the whole screen is still small. It's not taking up as much space on the monitor as it should. If I play a game or a video that's supposed to take up the full screen it doesn't expand beyond this black border. There is a black border that should be and always has been there, but now there's a bunch of empty space that the screen isn't filling.

    I'm very familiar with Display Properties and there's nothing in there that can solve this.
     
  35. PhilliePhan

    PhilliePhan Guest

    Man, I must be getting slow in my old age and brain shrinking as well! ;)
    I have not run across this before, so I am not sure how to address the problem. I'll ask for a second opinion from some other members.

    Did you try adjusting the positioning and image settings on your monitor? I would imagine the problem could be corrected that way.

    Hang in there and I'll see if I can get a second pair of eyes to take a look.

    PP :)
     
    Last edited by a moderator: Jan 29, 2005
  36. Matacumbie

    Matacumbie Rocky Top

    Try rebooting.

    Steve
     
  37. Triple Geek

    Triple Geek Private E-2

    On my old computer the monitor had some dials under it that I could play around with and it would adjust it in this way, but my new computer's monitor doesn't have anything like that so I'm not sure how to adjust it.

    Steve, I've rebooted many times but it's been like this for almost a week.
     
  38. PhilliePhan

    PhilliePhan Guest

    You've got to have some kind of Horizontal / Vertical control for positioning?

    What brand and model# for your monitor?
     
  39. Matacumbie

    Matacumbie Rocky Top

    Under settings in display properties, what are your screen area settings? Change or experiment with them.

    Steve
     
  40. Triple Geek

    Triple Geek Private E-2

    It's a Compaq 7550 monitor.

    I don't see anything under settings in display properties that says "screen area settings." My screen resolution is 1280 by 1024 pixels but messing around with that didn't do anything. I looked through display properties/settings/advanced but I couldn't find anything that seemed to relate to the problem.
     
  41. PhilliePhan

    PhilliePhan Guest

    Your monitor should have a button to launch OnScreen Display of settings. You should then be able to adjust accordingly the horizontal and vertical, etc. . . See "Operation" section here:

    http://www.radioshack.com/images/ProductCatalog/Manuals/OME25-618.pdf

    Note the adjustments for vertical size and horizontal size.

    PP :)
     
  42. Triple Geek

    Triple Geek Private E-2

    That's just what I needed, except I can't get it back to the original setting. Do you know where I might get the default setting?
     
  43. Triple Geek

    Triple Geek Private E-2

    P.S. - I did find the reset button in the OSD panel but it doesn't seem to be working.
     
  44. Matacumbie

    Matacumbie Rocky Top

    Did you get any Software with the monitor? If so, try reinstalling it, that might give you the default settings or fix the reset button.

    Steve
     
